Businesses Underestimate Long-Term Effects of Cyber Attacks: Lloyd’s Report

June 28, 2017

Businesses could face a much higher bill than they expect or are prepared for after falling victim to a cyber-attack, according to research from Lloyd’s in association with KPMG and legal firm DAC Beachcroft.

As businesses increasingly become the target of sophisticated hacking attacks, they need to properly prepare themselves or face a hefty bill, including “slow burn” costs such as reputational damage, litigation and loss of competitive edge, said the report titled “Closing the gap – insuring your business against evolving cyber threats.”

The report looks at the nature of the current cyber risk landscape as well as top threats by industry sector.

The research identifies ransomware – such as the WannaCry worldwide ransomware attack last month and the latest attack this week – as a rapidly increasing threat, together with distributed denial-of-service attacks and “CEO fraud” where cyber criminals pose as senior executives in order to access sensitive information.

The analysis also said that financial services firms are the most targeted by organized cyber crime, but that retail is also increasingly being targeted.

“The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber-crime is when, not if, the idea of simply hoping it won’t happen to you, isn’t tenable,” said Inga Beale, CEO of Lloyd’s.

“To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimize reputational harm and arrange cyber insurance to ensure that the risks are adequately covered,” she said.

“By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimize the immediate costs and their exposure to subsequent slow burn costs,” Beale added.

“Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves,” said Matthew Martindale, director in KPMG’s cyber security practice.

“However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it,” Martindale emphasized. “Dealing with things like reputational issues and litigation in the aftermath of a breach, can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short sighted.”

“While the immediate business impact of a breach could be significant for any organization, it may only be the tip of the iceberg when it comes to dealing with the legal consequences which may last months or even years,” according to Hans Allnutt, Partner, head of Cyber & Data Risk at DAC Beachcroft.

“Once notified, it is not uncommon for regulatory investigations to take more than a year before they reach a conclusion,” he said. “Subsequent litigation can take even longer, particularly because the law surrounding data security and privacy is a relatively evolving area. In one UK data protection case, it took three years and a failed appeal before the litigation was finally settled.”

The report’s key findings are:

  • Ransomware and distributed denial-of-service attacks are increasingly used against businesses, with healthcare and media and entertainment particularly targeted. For example, Beazley, a Lloyd’s underwriter, has seen a fourfold increase in ransomware attacks on its customers from 2014 to 2016. It predicts the number of attacks will double again this year.
  • The financial services sector finds itself at the sharp end of targeted attacks by organized cyber crime but retail is increasingly being targeted. Criminals are becoming more financially savvy, and have started to target bank systems and financial infrastructure.
  • Oil and gas firms can find themselves caught up in national politics and can be the subject of espionage as well as occasional high-end disruptive attacks; they essentially become political cyber footballs.
  • The public sector and the telecommunications sector are highly susceptible to espionage-focused cyber-attacks.
  • There has been a major growth in targeting companies through CEO fraud, i.e. perpetrators posing as a senior executive to elicit sensitive information. This is resulting in significant financial losses.

Resources:

The full report – “Closing the gap – insuring your business against evolving cyber threats” – is available online from Lloyd’s.
